US2012255009A1PendingUtilityA1
Method and apparatus for combating malicious code
Est. expirySep 17, 2024(expired)· nominal 20-yr term from priority
H04L 63/1441G06F 21/566
40
PatentIndex Score
0
Cited by
0
References
0
Claims
Abstract
A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a leap-ahead technique to defend against the malicious code reaching a full saturation potential in the network, by sending alert messages to a group of peers, and reselecting the membership of that group from time to time.
Claims
exact text as granted — not AI-modified1 . A method for combating self-propagating malicious code in a network, the method comprising:
detecting a suspected worm within the network; sending an alert message regarding said worm to a group of one or more peers; and reselecting a membership in said group at a later time period, such that one or more reselected peers in said group at said later time period is different from said one or more peers in said group, wherein at least one of: said detecting, said sending, or said reselecting is performed using a processor.
2 . The method of claim 1 , wherein said detecting further comprises:
detecting a resource limitation exceeded in said network.
3 . The method of claim 2 , wherein said resource limitation includes a number of outbound connections made by a node in said network per unit of time.
4 . The method of claim 2 , wherein said detecting further comprises:
receiving at least one alert message from at least one peer, wherein the at least one alert message contains information regarding the resource limitation that is exceeded.
5 . The method of claim 1 , further comprising:
implementing a defensive action when a threshold amount of suspected malicious code activity is observed.
6 . The method of claim 5 , wherein said defensive action is halted if said suspected malicious code activity is observed to fall below said threshold amount.
7 . The method of claim 5 , wherein said threshold amount is adjustable.
8 . The method of claim 5 , wherein said defensive action is an enablement of a filter to selectively block network traffic meeting defined characteristics.
9 . The method of claim 8 , wherein said defined characteristics correspond to characteristics of packets dropped in accordance with said limiting.
10 . The method of claim 9 , wherein said defined characteristics include at least one of: a port/protocol pair representing a dominant target port/protocol used by outbound packets during a time at which a violation of a resource usage threshold is detected, an average datagram size sent during said time at which said violation of said resource usage threshold is detected, or a standard deviation of datagrams sent during said time at which said violation of said resource usage threshold is detected.
11 . The method of claim 10 , further comprising:
denying at least one incoming packet corresponding to said dominant target port/protocol.
12 . The method of claim 5 , further comprising:
modifying an alert level counter after sending the alert message, and wherein said implementing a defensive action is performed at least partly based on a value of the alert level counter.
13 . The method of claim 12 , wherein an amount by which the value of the alert level counter is modified depends at least partly on a severity of the suspected worm.
14 . The method of claim 1 , further comprising:
receiving one or more alert messages from one or more peers in said network, said one or more alert messages indicating a detection of said suspected worm.
15 . The method of claim 1 , wherein said reselecting comprises:
periodically re-computing said group.
16 . The method of claim 1 , wherein said sending comprises:
determining whether to suppress or send the alert message depending on a value of a hold off counter; and modifying the value of the hold off counter after sending the alert message, by an amount corresponding to a period of time during which additional alert messages are to be suppressed.
17 . The method of claim 16 , wherein the amount by which the value of the hold off counter is modified is dependent on a severity of suspected malicious activity.
18 . The method of claim 1 , wherein the group comprises a subset randomly selected from among a plurality of peers.
19 . The method of claim 1 , wherein said reselecting is performed by a hierarchical coordinator function.
20 . The method of claim 1 , wherein said reselecting is performed by said one or more peers.
21 . A computer readable storage device containing an executable program for self-propagating combating malicious code in a network, the method comprising:
detecting a suspected worm within the network; sending an alert message regarding said worm to a group of one or more peers; and reselecting a membership in said group at a later time period, such that one or more reselected peers in said group at said later time period is different from said one or more peers in said group.
22 . Apparatus for combating self-propagating malicious code in a network, the apparatus comprising:
a processor for detecting a suspected worm violation within the network; and an output device for sending an alert message regarding said worm to a group of one or more peers; and a hierarchical coordinator for reselecting a membership in said group at a later time period, such that one or more reselected peers in said group at said later time period is different from said one or more peers in said group.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.